| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Nov 2017 02:21:51 +0000
From: Parav Pandit <parav@...lanox.com>
To: Qing Huang <qing.huang@...cle.com>,
"linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "dledford@...hat.com" <dledford@...hat.com>,
"sean.hefty@...el.com" <sean.hefty@...el.com>,
"hal.rosenstock@...il.com" <hal.rosenstock@...il.com>,
"ira.weiny@...el.com" <ira.weiny@...el.com>,
"Mark Bloch" <markb@...lanox.com>
Subject: RE: [PATCH] IB/CM: fix memory corruption by avoiding unnecessary
memset
Hi Qing,
> -----Original Message-----
> From: linux-rdma-owner@...r.kernel.org [mailto:linux-rdma-
> owner@...r.kernel.org] On Behalf Of Qing Huang
> Sent: Thursday, November 02, 2017 6:22 PM
> To: linux-rdma@...r.kernel.org; linux-kernel@...r.kernel.org
> Cc: dledford@...hat.com; sean.hefty@...el.com; hal.rosenstock@...il.com;
> ira.weiny@...el.com; Mark Bloch <markb@...lanox.com>; Qing Huang
> <qing.huang@...cle.com>
> Subject: [PATCH] IB/CM: fix memory corruption by avoiding unnecessary
> memset
>
> The size of path array could be dynamic. However the fixed number(2) of
> memset could cause memory corruption by writing into wrong memory space.
>
> Fixes: 9fdca4da4d8c (IB/SA: Split struct sa_path_rec based on IB ands
> ROCE specific fields)
>
> Signed-off-by: Qing Huang <qing.huang@...cle.com>
> ---
> drivers/infiniband/core/cm.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c index
> 4c4b465..af4f6a0 100644
> --- a/drivers/infiniband/core/cm.c
> +++ b/drivers/infiniband/core/cm.c
> @@ -1856,7 +1856,9 @@ static int cm_req_handler(struct cm_work *work)
> cm_process_routed_req(req_msg, work->mad_recv_wc->wc);
>
> memset(&work->path[0], 0, sizeof(work->path[0]));
> - memset(&work->path[1], 0, sizeof(work->path[1]));
> + if (cm_req_has_alt_path(req_msg))
> + memset(&work->path[1], 0, sizeof(work->path[1]));
> +
> grh = rdma_ah_read_grh(&cm_id_priv->av.ah_attr);
> ret = ib_get_cached_gid(work->port->cm_dev->ib_device,
> work->port->port_num,
> @@ -3823,8 +3825,8 @@ static void cm_recv_handler(struct ib_mad_agent
> *mad_agent,
>
> switch (mad_recv_wc->recv_buf.mad->mad_hdr.attr_id) {
> case CM_REQ_ATTR_ID:
> - paths = 1 + (((struct cm_req_msg *) mad_recv_wc-
> >recv_buf.mad)->
> - alt_local_lid != 0);
> + paths = 1 + cm_req_has_alt_path(
> + (struct cm_req_msg *)mad_recv_wc-
> >recv_buf.mad);
> event = IB_CM_REQ_RECEIVED;
> break;
> case CM_MRA_ATTR_ID:
> --
> 2.9.3
>
Thanks for the patch. Few weeks back I came across this bug and fix [1] is merged now by Doug.
[1] has one additional fix in cm_format_req_event() function as well.
[1] https://patchwork.kernel.org/patch/10015997/
Powered by blists - more mailing lists